diff --git a/nursery/persist-via-aedebug-registry-key.yml b/nursery/persist-via-aedebug-registry-key.yml new file mode 100644 index 00000000..aa185cc8 --- /dev/null +++ b/nursery/persist-via-aedebug-registry-key.yml @@ -0,0 +1,18 @@ +rule: + meta: + name: persist via AeDebug registry key + namespace: persistence/registry + authors: + - j.j.vannielen@utwente.nl + scopes: + static: function + dynamic: call + att&ck: + - Persistence::Event Triggered Execution [T1546] + references: + - https://learn.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging + features: + - and: + - match: set registry value + - string: /Microsoft\\Windows NT\\CurrentVersion\\AeDebug/i + - string: /Debugger/i diff --git a/nursery/persist-via-amsi-registry-key.yml b/nursery/persist-via-amsi-registry-key.yml new file mode 100644 index 00000000..f22cfdf6 --- /dev/null +++ b/nursery/persist-via-amsi-registry-key.yml @@ -0,0 +1,17 @@ +rule: + meta: + name: persist via AMSI registry key + namespace: persistence/registry + authors: + - j.j.vannielen@utwente.nl + scopes: + static: function + dynamic: call + att&ck: + - Persistence::Event Triggered Execution [T1546] + references: + - https://learn.microsoft.com/en-us/windows/win32/amsi/dev-audience + features: + - and: + - match: set registry value + - string: /Microsoft\\AMSI\\Providers\\/i diff --git a/nursery/persist-via-app-paths-registry-key.yml b/nursery/persist-via-app-paths-registry-key.yml new file mode 100644 index 00000000..d937b723 --- /dev/null +++ b/nursery/persist-via-app-paths-registry-key.yml @@ -0,0 +1,17 @@ +rule: + meta: + name: persist via App paths registry key + namespace: persistence/registry + authors: + - j.j.vannielen@utwente.nl + scopes: + static: function + dynamic: call + att&ck: + - Persistence::Hijack Execution Flow::Path Interception by PATH Environment Variable [T1574.007] + references: + - https://www.cyberark.com/resources/threat-research-blog/persistence-techniques-that-persist + features: + - and: + - match: set registry value + - string: /Microsoft\\Windows\\CurrentVersion\\App Paths\\/i diff --git a/nursery/persist-via-appcertdlls-registry-key.yml b/nursery/persist-via-appcertdlls-registry-key.yml new file mode 100644 index 00000000..aede046c --- /dev/null +++ b/nursery/persist-via-appcertdlls-registry-key.yml @@ -0,0 +1,17 @@ +rule: + meta: + name: persist via AppCertDlls registry key + namespace: persistence/registry + authors: + - j.j.vannielen@utwente.nl + scopes: + static: function + dynamic: call + att&ck: + - Persistence::Event Triggered Execution::AppCert DLLs [T1546.009] + references: + - https://skanthak.hier-im-netz.de/appcert.html + features: + - and: + - match: set registry value + - string: /System\\(CurrentControlSet|ControlSet001)\\Control\\Session Manager\\AppCertDlls/i diff --git a/nursery/persist-via-appx-registry-key.yml b/nursery/persist-via-appx-registry-key.yml new file mode 100644 index 00000000..d7c9dbd6 --- /dev/null +++ b/nursery/persist-via-appx-registry-key.yml @@ -0,0 +1,22 @@ +rule: + meta: + name: persist via AppX registry key + namespace: persistence/registry + authors: + - j.j.vannielen@utwente.nl + scopes: + static: function + dynamic: call + att&ck: + - Persistence::Event Triggered Execution [T1546] + references: + - https://oddvar.moe/2018/09/06/persistence-using-universal-windows-platform-apps-appx/ + features: + - and: + - match: set registry value + - or: + - string: /Microsoft\\Windows\\CurrentVersion\\PackagedAppXDebug\\/i + - and: + - string: /ActivatableClasses\\Package\\/i + - string: /DebugInformation/i + - string: /DebugPath/i diff --git a/nursery/persist-via-autodialdll-registry-key.yml b/nursery/persist-via-autodialdll-registry-key.yml new file mode 100644 index 00000000..01c68e8e --- /dev/null +++ b/nursery/persist-via-autodialdll-registry-key.yml @@ -0,0 +1,19 @@ +rule: + meta: + name: persist via AutodialDLL registry key + namespace: persistence/registry + authors: + - j.j.vannielen@utwente.nl + scopes: + static: function + dynamic: call + att&ck: + - Persistence::Event Triggered Execution [T1546] + references: + - https://learn.microsoft.com/en-us/windows/win32/rras/autodial-connection-operations + - https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/ + features: + - and: + - match: set registry value + - string: /System\\(CurrentControlSet|ControlSet001)\\Services\\WinSock2\\Parameters/i + - string: /AutodialDLL/i diff --git a/nursery/persist-via-autoplayhandlers-registry-key.yml b/nursery/persist-via-autoplayhandlers-registry-key.yml new file mode 100644 index 00000000..687d7b8d --- /dev/null +++ b/nursery/persist-via-autoplayhandlers-registry-key.yml @@ -0,0 +1,22 @@ +rule: + meta: + name: persist via AutoplayHandlers registry key + namespace: persistence/registry + authors: + - j.j.vannielen@utwente.nl + scopes: + static: function + dynamic: call + att&ck: + - Persistence::Event Triggered Execution [T1546] + references: + - https://learn.microsoft.com/en-us/windows/win32/shell/how-to-register-a-handler-for-a-device-event + - https://www.hexacorn.com/blog/2019/09/07/beyond-good-ol-run-key-part-114/ + features: + - and: + - match: set registry value + - string: /Microsoft\\Windows\\CurrentVersion\\Explorer\\AutoplayHandlers\\Handlers\\/i + - or: + - string: /Action/i + - string: /Provider/i + - string: /InitCmd/i diff --git a/nursery/persist-via-bootverificationprogram-registry-key.yml b/nursery/persist-via-bootverificationprogram-registry-key.yml new file mode 100644 index 00000000..de4c0273 --- /dev/null +++ b/nursery/persist-via-bootverificationprogram-registry-key.yml @@ -0,0 +1,18 @@ +rule: + meta: + name: persist via BootVerificationProgram registry key + namespace: persistence/registry + authors: + - j.j.vannielen@utwente.nl + scopes: + static: function + dynamic: call + att&ck: + - Persistence::Boot or Logon Autostart Execution [T1547] + references: + - https://www.cyberark.com/resources/threat-research-blog/persistence-techniques-that-persist + features: + - and: + - match: set registry value + - string: /System\\(CurrentControlSet|ControlSet001)\\Control\\BootVerificationProgram/i + - string: /ImagePath/i diff --git a/nursery/persist-via-code-signing-registry-key.yml b/nursery/persist-via-code-signing-registry-key.yml new file mode 100644 index 00000000..c474c008 --- /dev/null +++ b/nursery/persist-via-code-signing-registry-key.yml @@ -0,0 +1,19 @@ +rule: + meta: + name: persist via Code signing registry key + namespace: persistence/registry + authors: + - j.j.vannielen@utwente.nl + scopes: + static: function + dynamic: call + att&ck: + - Persistence::Event Triggered Execution [T1546] + references: + - https://specterops.io/wp-content/uploads/sites/3/2022/06/SpecterOps_Subverting_Trust_in_Windows.pdf + features: + - and: + - match: set registry value + - and: + - string: /Microsoft\\Cryptography\\OID\\/i + - string: /^Dll$/i diff --git a/nursery/persist-via-com-hijack.yml b/nursery/persist-via-com-hijack.yml new file mode 100644 index 00000000..69c6a8be --- /dev/null +++ b/nursery/persist-via-com-hijack.yml @@ -0,0 +1,23 @@ +rule: + meta: + name: persist via COM hijack + namespace: persistence/registry + authors: + - j.j.vannielen@utwente.nl + scopes: + static: function + dynamic: call + att&ck: + - Persistence::Event Triggered Execution::Component Object Model Hijacking [T1546.015] + references: + - https://www.mdsec.co.uk/2019/05/persistence-the-continued-or-prolonged-existence-of-something-part-2-com-hijacking/ + - https://stmxcsr.com/persistence/com-hijacking.html + features: + - and: + - match: set registry value + - or: + - string: /Classes\\CLSID/i + - string: /Classes\\WOW6432Node\\CLSID/i + - or: + - string: /InProcServer32/i + - string: /LocalServer32/i diff --git a/nursery/persist-via-command-processor-registry-key.yml b/nursery/persist-via-command-processor-registry-key.yml new file mode 100644 index 00000000..656f8d99 --- /dev/null +++ b/nursery/persist-via-command-processor-registry-key.yml @@ -0,0 +1,19 @@ +rule: + meta: + name: persist via Command Processor registry key + namespace: persistence/registry + authors: + - j.j.vannielen@utwente.nl + scopes: + static: function + dynamic: call + att&ck: + - Persistence::Event Triggered Execution [T1546] + references: + - https://devblogs.microsoft.com/oldnewthing/20071121-00/?p=24433 + features: + - and: + - match: set registry value + - and: + - string: /Microsoft\\Command Processor/i + - string: /AutoRun/i diff --git a/nursery/persist-via-contextmenuhandlers-registry-key.yml b/nursery/persist-via-contextmenuhandlers-registry-key.yml new file mode 100644 index 00000000..790f7306 --- /dev/null +++ b/nursery/persist-via-contextmenuhandlers-registry-key.yml @@ -0,0 +1,18 @@ +rule: + meta: + name: persist via ContextMenuHandlers registry key + namespace: persistence/registry + authors: + - j.j.vannielen@utwente.nl + scopes: + static: function + dynamic: call + att&ck: + - Persistence::Event Triggered Execution [T1546] + references: + - https://pentestlab.blog/2023/03/13/persistence-context-menu/ + - https://ristbs.github.io/2023/02/15/hijack-explorer-context-menu-for-persistence-and-fun.html + features: + - and: + - match: set registry value + - string: /\\shellex\\ContextMenuHandlers\\/i diff --git a/nursery/persist-via-cor_profiler_path-registry-value.yml b/nursery/persist-via-cor_profiler_path-registry-value.yml new file mode 100644 index 00000000..b9537e57 --- /dev/null +++ b/nursery/persist-via-cor_profiler_path-registry-value.yml @@ -0,0 +1,18 @@ +rule: + meta: + name: persist via COR_PROFILER_PATH registry value + namespace: persistence/registry + authors: + - j.j.vannielen@utwente.nl + scopes: + static: function + dynamic: call + att&ck: + - Persistence::Hijack Execution Flow::COR_PROFILER [T1574.012] + references: + - https://redcanary.com/blog/threat-detection/cor_profiler-for-persistence/ + features: + - and: + - match: set registry value + - string: /Environment/i + - string: /COR_PROFILER_PATH/i diff --git a/nursery/persist-via-default-file-association-registry-key.yml b/nursery/persist-via-default-file-association-registry-key.yml new file mode 100644 index 00000000..146c23ce --- /dev/null +++ b/nursery/persist-via-default-file-association-registry-key.yml @@ -0,0 +1,21 @@ +rule: + meta: + name: persist via default file association registry key + namespace: persistence/registry + authors: + - j.j.vannielen@utwente.nl + scopes: + static: function + dynamic: call + att&ck: + - Persistence::Event Triggered Execution::Change Default File Association [T1546.001] + references: + - https://dmcxblue.gitbook.io/red-team-notes-2-0/red-team-techniques/privilege-escalation/untitled-3/default-file-association + - https://giuliocomi.blogspot.com/2019/10/abusing-windows-10-narrators-feedback.html + features: + - and: + - match: set registry value + - or: + - string: /\\shell\\open\\command/i + - string: /\\shell\\print\\command/i + - string: /\\shell\\printto\\command/i diff --git a/nursery/persist-via-disk-cleanup-handler-registry-key.yml b/nursery/persist-via-disk-cleanup-handler-registry-key.yml new file mode 100644 index 00000000..8c125df0 --- /dev/null +++ b/nursery/persist-via-disk-cleanup-handler-registry-key.yml @@ -0,0 +1,18 @@ +rule: + meta: + name: persist via Disk Cleanup Handler registry key + namespace: persistence/registry + authors: + - j.j.vannielen@utwente.nl + scopes: + static: function + dynamic: call + att&ck: + - Persistence::Event Triggered Execution [T1546] + references: + - https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/ + - https://learn.microsoft.com/en-us/windows/win32/lwef/disk-cleanup + features: + - and: + - match: set registry value + - string: /Microsoft\\Windows\\CurrentVersion\\Explorer\\VolumeCaches\\/i diff --git a/nursery/persist-via-dotnet-dbgmanageddebugger-registry-key.yml b/nursery/persist-via-dotnet-dbgmanageddebugger-registry-key.yml new file mode 100644 index 00000000..a949bd29 --- /dev/null +++ b/nursery/persist-via-dotnet-dbgmanageddebugger-registry-key.yml @@ -0,0 +1,18 @@ +rule: + meta: + name: persist via .NET DbgManagedDebugger registry key + namespace: persistence/registry + authors: + - j.j.vannielen@utwente.nl + scopes: + static: function + dynamic: call + att&ck: + - Persistence::Event Triggered Execution [T1546] + references: + - https://learn.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2022 + features: + - and: + - match: set registry value + - string: /Microsoft\\.NETFramework/i + - string: /DbgManagedDebugger/i diff --git a/nursery/persist-via-dotnet_startup_hooks-registry-key.yml b/nursery/persist-via-dotnet_startup_hooks-registry-key.yml new file mode 100644 index 00000000..2e285fca --- /dev/null +++ b/nursery/persist-via-dotnet_startup_hooks-registry-key.yml @@ -0,0 +1,18 @@ +rule: + meta: + name: persist via DOTNET_STARTUP_HOOKS registry key + namespace: persistence/registry + authors: + - j.j.vannielen@utwente.nl + scopes: + static: function + dynamic: call + att&ck: + - Persistence::Hijack Execution Flow::DLL Side-Loading [T1574.002] + references: + - https://github.com/dotnet/runtime/blob/main/docs/design/features/host-startup-hook.md + features: + - and: + - match: set registry value + - string: /Environment/i + - string: /DOTNET_STARTUP_HOOKS/i diff --git a/nursery/persist-via-explorer-tools-registry-key.yml b/nursery/persist-via-explorer-tools-registry-key.yml new file mode 100644 index 00000000..9f1d288d --- /dev/null +++ b/nursery/persist-via-explorer-tools-registry-key.yml @@ -0,0 +1,17 @@ +rule: + meta: + name: persist via Explorer tools registry key + namespace: persistence/registry + authors: + - j.j.vannielen@utwente.nl + scopes: + static: function + dynamic: call + att&ck: + - Persistence::Event Triggered Execution [T1546] + references: + - https://www.hexacorn.com/blog/2017/01/18/beyond-good-ol-run-key-part-55/ + features: + - and: + - match: set registry value + - string: /Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\/i diff --git a/nursery/persist-via-filter-handlers-registry-key.yml b/nursery/persist-via-filter-handlers-registry-key.yml new file mode 100644 index 00000000..53c0d8c3 --- /dev/null +++ b/nursery/persist-via-filter-handlers-registry-key.yml @@ -0,0 +1,19 @@ +rule: + meta: + name: persist via Filter Handlers registry key + namespace: persistence/registry + authors: + - j.j.vannielen@utwente.nl + scopes: + static: function + dynamic: call + att&ck: + - Persistence::Event Triggered Execution [T1546] + references: + - https://learn.microsoft.com/en-us/windows/win32/search/-search-ifilter-about + features: + - and: + - match: set registry value + - or: + - string: /\\\..*\\PersistentHandler/i + - string: /CLSID\\.*\\PersistentHandler/i diff --git a/nursery/persist-via-group-policy-registry-key.yml b/nursery/persist-via-group-policy-registry-key.yml new file mode 100644 index 00000000..6bfb6bf5 --- /dev/null +++ b/nursery/persist-via-group-policy-registry-key.yml @@ -0,0 +1,21 @@ +rule: + meta: + name: persist via Group Policy registry key + namespace: persistence/registry + authors: + - j.j.vannielen@utwente.nl + scopes: + static: function + dynamic: call + att&ck: + - Persistence::Boot or Logon Autostart Execution [T1547] + references: + - None + features: + - and: + - match: set registry value + - and: + - or: + - string: /Microsoft\\Windows\\CurrentVersion\\Group Policy\\Scripts\\Startup\\.*?\\.*/i + - string: /Microsoft\\Windows\\CurrentVersion\\Group Policy\\State\\Machine\\Scripts\\.*?\\.*/i + - string: /^Script$/i diff --git a/nursery/persist-via-hhctrl-com-hijack.yml b/nursery/persist-via-hhctrl-com-hijack.yml new file mode 100644 index 00000000..25ce52c9 --- /dev/null +++ b/nursery/persist-via-hhctrl-com-hijack.yml @@ -0,0 +1,17 @@ +rule: + meta: + name: persist via hhctrl COM hijack + namespace: persistence/registry + authors: + - j.j.vannielen@utwente.nl + scopes: + static: function + dynamic: call + att&ck: + - Persistence::Hijack Execution Flow [T1574] + references: + - https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/ + features: + - and: + - match: persist via COM hijack + - string: /{52A2AAAE-085D-4187-97EA-8C30DB990436}/i diff --git a/nursery/persist-via-htmlhelp-author-registry-key.yml b/nursery/persist-via-htmlhelp-author-registry-key.yml new file mode 100644 index 00000000..055ea587 --- /dev/null +++ b/nursery/persist-via-htmlhelp-author-registry-key.yml @@ -0,0 +1,19 @@ +rule: + meta: + name: persist via HtmlHelp Author registry key + namespace: persistence/registry + authors: + - j.j.vannielen@utwente.nl + scopes: + static: function + dynamic: call + att&ck: + - Persistence::Hijack Execution Flow [T1574] + references: + - https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/ + features: + - and: + - match: set registry value + - and: + - string: /Software\\Microsoft\\HtmlHelp Author/i + - string: /location/i diff --git a/nursery/persist-via-image-file-execution-options-registry-key.yml b/nursery/persist-via-image-file-execution-options-registry-key.yml new file mode 100644 index 00000000..97fc7894 --- /dev/null +++ b/nursery/persist-via-image-file-execution-options-registry-key.yml @@ -0,0 +1,19 @@ +rule: + meta: + name: persist via Image File Execution Options registry key + namespace: persistence/registry + authors: + - j.j.vannielen@utwente.nl + scopes: + static: function + dynamic: call + att&ck: + - Persistence::Event Triggered Execution::Image File Execution Options Injection [T1546.012] + references: + - https://www.malwarebytes.com/blog/101/2015/12/an-introduction-to-image-file-execution-options + - https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/ + features: + - and: + - match: set registry value + - string: /Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\/i + - string: /Debugger/i diff --git a/nursery/persist-via-lsa-registry-key.yml b/nursery/persist-via-lsa-registry-key.yml new file mode 100644 index 00000000..645906cc --- /dev/null +++ b/nursery/persist-via-lsa-registry-key.yml @@ -0,0 +1,28 @@ +rule: + meta: + name: persist via LSA registry key + namespace: persistence/registry + authors: + - j.j.vannielen@utwente.nl + scopes: + static: function + dynamic: call + att&ck: + - Persistence::Boot or Logon Autostart Execution::Authentication Package [T1547.002] + - Persistence::Boot or Logon Autostart Execution::Security Support Provider [T1547.005] + references: + - https://learn.microsoft.com/en-us/windows/win32/secauthn/authentication-packages + - https://learn.microsoft.com/en-us/windows/win32/secmgmt/password-filters + features: + - and: + - match: set registry value + - or: + - and: + - string: /SYSTEM\\(CurrentControlSet|ControlSet001)\\Control\\Lsa/i + - or: + - string: /Authentication Packages/i + - string: /Notification packages/i + - string: /Security Packages/i + - and: + - string: /SYSTEM\\(CurrentControlSet|ControlSet001)\\Control\\LsaExtensionConfig\\LsaSrv/i + - string: /Extensions/i diff --git a/nursery/persist-via-natural-language-registry-key.yml b/nursery/persist-via-natural-language-registry-key.yml new file mode 100644 index 00000000..60d4afcc --- /dev/null +++ b/nursery/persist-via-natural-language-registry-key.yml @@ -0,0 +1,20 @@ +rule: + meta: + name: persist via Natural Language registry key + namespace: persistence/registry + authors: + - j.j.vannielen@utwente.nl + scopes: + static: function + dynamic: call + att&ck: + - Persistence::Boot or Logon Autostart Execution [T1547] + references: + - https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/ + features: + - and: + - match: set registry value + - string: /SYSTEM\\(CurrentControlSet|ControlSet001)\\Control\\ContentIndex\\Language\\/i + - or: + - string: /StemmerDLLPathOverride/i + - string: /WBDLLPathOverride/i diff --git a/nursery/persist-via-netsh-registry-key.yml b/nursery/persist-via-netsh-registry-key.yml new file mode 100644 index 00000000..fb955a4b --- /dev/null +++ b/nursery/persist-via-netsh-registry-key.yml @@ -0,0 +1,17 @@ +rule: + meta: + name: persist via Netsh registry key + namespace: persistence/registry + authors: + - j.j.vannielen@utwente.nl + scopes: + static: function + dynamic: call + att&ck: + - Persistence::Event Triggered Execution [T1546] + references: + - https://pentestlab.blog/2019/10/29/persistence-netsh-helper-dll/ + features: + - and: + - match: set registry value + - string: /Microsoft\\Netsh/i diff --git a/nursery/persist-via-network-provider-registry-key.yml b/nursery/persist-via-network-provider-registry-key.yml new file mode 100644 index 00000000..26b7e9c7 --- /dev/null +++ b/nursery/persist-via-network-provider-registry-key.yml @@ -0,0 +1,18 @@ +rule: + meta: + name: persist via Network provider registry key + namespace: persistence/registry + authors: + - j.j.vannielen@utwente.nl + scopes: + static: function + dynamic: call + att&ck: + - Persistence::Modify Authentication Process::Network Provider DLL [T1556.008] + references: + - https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy + features: + - and: + - match: set registry value + - string: /SYSTEM\\(CurrentControlSet|ControlSet001)\\Services\\.*\\NetworkProvider/i + - string: /ProviderPath/i diff --git a/nursery/persist-via-path-registry-key.yml b/nursery/persist-via-path-registry-key.yml new file mode 100644 index 00000000..ad52cf10 --- /dev/null +++ b/nursery/persist-via-path-registry-key.yml @@ -0,0 +1,18 @@ +rule: + meta: + name: persist via PATH registry key + namespace: persistence/registry + authors: + - j.j.vannielen@utwente.nl + scopes: + static: function + dynamic: call + att&ck: + - Persistence::Hijack Execution Flow::Path Interception by PATH Environment Variable [T1574.007] + references: + - https://attack.mitre.org/techniques/T1574/007/ + features: + - and: + - match: set registry value + - string: /Environment/i + - string: /^PATH$/i diff --git a/nursery/persist-via-print-monitors-registry-key.yml b/nursery/persist-via-print-monitors-registry-key.yml new file mode 100644 index 00000000..5b19a50e --- /dev/null +++ b/nursery/persist-via-print-monitors-registry-key.yml @@ -0,0 +1,19 @@ +rule: + meta: + name: persist via Print Monitors registry key + namespace: persistence/registry + authors: + - j.j.vannielen@utwente.nl + scopes: + static: function + dynamic: call + att&ck: + - Persistence::Boot or Logon Autostart Execution::Port Monitors [T1547.010] + references: + - https://stmxcsr.com/persistence/print-monitor.html + - https://learn.microsoft.com/en-us/windows/win32/printdocs/addmonitor + features: + - and: + - match: set registry value + - string: /SYSTEM\\(CurrentControlSet|ControlSet001)\\Control\\Print\\Monitors\\/i + - string: /^Driver$/i diff --git a/nursery/persist-via-rdp-startup-programs-registry-key.yml b/nursery/persist-via-rdp-startup-programs-registry-key.yml new file mode 100644 index 00000000..f7fa1bf9 --- /dev/null +++ b/nursery/persist-via-rdp-startup-programs-registry-key.yml @@ -0,0 +1,19 @@ +rule: + meta: + name: persist via RDP startup programs registry key + namespace: persistence/registry + authors: + - j.j.vannielen@utwente.nl + scopes: + static: function + dynamic: call + att&ck: + - Persistence::Event Triggered Execution [T1546] + references: + - https://www.cyberark.com/resources/threat-research-blog/attacking-rdp-from-inside + - https://www.cyberark.com/resources/threat-research-blog/persistence-techniques-that-persist + features: + - and: + - match: set registry value + - string: /SYSTEM\\(CurrentControlSet|ControlSet001)\\Control\\Terminal Server\\Wds\\rdpwd/i + - string: /^StartupPrograms$/i diff --git a/nursery/persist-via-silentprocessexit-registry-key.yml b/nursery/persist-via-silentprocessexit-registry-key.yml new file mode 100644 index 00000000..029f8048 --- /dev/null +++ b/nursery/persist-via-silentprocessexit-registry-key.yml @@ -0,0 +1,18 @@ +rule: + meta: + name: persist via SilentProcessExit registry key + namespace: persistence/registry + authors: + - j.j.vannielen@utwente.nl + scopes: + static: function + dynamic: call + att&ck: + - Persistence::Event Triggered Execution [T1546] + references: + - https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/ + features: + - and: + - match: set registry value + - string: /Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\.*/i + - string: /^MonitorProcess$/i diff --git a/nursery/persist-via-telemetrycontroller-registry-key.yml b/nursery/persist-via-telemetrycontroller-registry-key.yml new file mode 100644 index 00000000..c2634e6e --- /dev/null +++ b/nursery/persist-via-telemetrycontroller-registry-key.yml @@ -0,0 +1,18 @@ +rule: + meta: + name: persist via TelemetryController registry key + namespace: persistence/registry + authors: + - j.j.vannielen@utwente.nl + scopes: + static: function + dynamic: call + att&ck: + - Persistence::Scheduled Task/Job [T1053] + references: + - https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence + features: + - and: + - match: set registry value + - string: /Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\TelemetryController\\/i + - string: /^Command$/i diff --git a/nursery/persist-via-timeproviders-registry-key.yml b/nursery/persist-via-timeproviders-registry-key.yml new file mode 100644 index 00000000..900535a6 --- /dev/null +++ b/nursery/persist-via-timeproviders-registry-key.yml @@ -0,0 +1,19 @@ +rule: + meta: + name: persist via TimeProviders registry key + namespace: persistence/registry + authors: + - j.j.vannielen@utwente.nl + scopes: + static: function + dynamic: call + att&ck: + - Persistence::Boot or Logon Autostart Execution::Time Providers [T1547.003] + references: + - https://stmxcsr.com/persistence/time-provider.html + - https://learn.microsoft.com/en-us/windows/win32/sysinfo/time-provider?redirectedfrom=MSDN + features: + - and: + - match: set registry value + - string: /System\\(CurrentControlSet|ControlSet001)\\Services\\W32Time\\TimeProviders\\/i + - string: /^DllName$/i diff --git a/nursery/persist-via-ts-initialprogram-registry-key.yml b/nursery/persist-via-ts-initialprogram-registry-key.yml new file mode 100644 index 00000000..5bd7ddf0 --- /dev/null +++ b/nursery/persist-via-ts-initialprogram-registry-key.yml @@ -0,0 +1,20 @@ +rule: + meta: + name: persist via TS InitialProgram registry key + namespace: persistence/registry + authors: + - j.j.vannielen@utwente.nl + scopes: + static: function + dynamic: call + att&ck: + - Persistence::Event Triggered Execution [T1546] + references: + - https://persistence-info.github.io/Data/tsinitialprogram.html + features: + - and: + - match: set registry value + - or: + - string: /\\Policies\\Microsoft\\Windows NT\\Terminal Services/i + - string: /System\\(CurrentControlSet|ControlSet001)\\Control\\Terminal Server\\WinStations\\RDP-Tcp/i + - string: /^InitialProgram$/i diff --git a/nursery/persist-via-userinitmprlogonscript-registry-value.yml b/nursery/persist-via-userinitmprlogonscript-registry-value.yml new file mode 100644 index 00000000..7022317a --- /dev/null +++ b/nursery/persist-via-userinitmprlogonscript-registry-value.yml @@ -0,0 +1,18 @@ +rule: + meta: + name: persist via UserInitMprLogonScript registry value + namespace: persistence/registry + authors: + - j.j.vannielen@utwente.nl + scopes: + static: function + dynamic: call + att&ck: + - Persistence::Boot or Logon Initialization Scripts::Logon Script (Windows) [T1037.001] + references: + - https://attack.mitre.org/techniques/T1037/001/ + features: + - and: + - match: set registry value + - string: /Environment/i + - string: /UserInitMprLogonScript/i diff --git a/nursery/persist-via-windows-error-reporting-registry-key.yml b/nursery/persist-via-windows-error-reporting-registry-key.yml new file mode 100644 index 00000000..16ddf3c4 --- /dev/null +++ b/nursery/persist-via-windows-error-reporting-registry-key.yml @@ -0,0 +1,18 @@ +rule: + meta: + name: persist via Windows Error Reporting registry key + namespace: persistence/registry + authors: + - j.j.vannielen@utwente.nl + scopes: + static: function + dynamic: call + att&ck: + - Persistence::Event Triggered Execution [T1546] + references: + - https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/ + features: + - and: + - match: set registry value + - string: /Microsoft\\Windows\\Windows Error Reporting\\Hangs/i + - string: /Debugger/i diff --git a/persistence/scheduled-tasks/schedule-task-via-schtasks.yml b/persistence/scheduled-tasks/schedule-task-via-schtasks.yml index 4d7f58a3..8d42215a 100644 --- a/persistence/scheduled-tasks/schedule-task-via-schtasks.yml +++ b/persistence/scheduled-tasks/schedule-task-via-schtasks.yml @@ -4,18 +4,29 @@ rule: namespace: persistence/scheduled-tasks authors: - 0x534a@mailbox.org + - j.j.vannielen@utwente.nl scopes: static: function dynamic: thread att&ck: - Persistence::Scheduled Task/Job::Scheduled Task [T1053.005] + references: + - https://learn.microsoft.com/en-us/windows/win32/taskschd/task-scheduler-start-page + - https://stmxcsr.com/persistence/scheduled-tasks.html examples: - 79cde1aa711e321b4939805d27e160be:0x401440 features: - - and: - - match: host-interaction/process/create - - or: - - and: - - string: /schtasks/i - - string: /\/create /i - - string: /Register-ScheduledTask /i + - or: + - and: + - match: set registry value + - string: /Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\/i + - string: /^Actions$/i + - and: + - match: host-interaction/process/create + - or: + - and: + - string: /schtasks/i + - or: + - string: /\/change/i + - string: /\/create/i + - string: /Register-ScheduledTask /i